Venue: Please note that this meeting be held virtually on Zoom
Contact: William Troop Tel: (01279) 502173 Email: firstname.lastname@example.org
To receive apologies for absence
Apologies for absence were submitted on behalf of Councillor Huggins. It was noted that Councillor Curtis was substituting for Councillor Huggins.
To confirm the Minutes of the meeting of the Performance, Audit and Governance Oversight Committee held on Tuesday 19 May 2020
It was moved by Councillor Ward-Booth and seconded by Councillor Curtis that the minutes of the meeting of the Committee (formerly called the Performance, Audit and Governance Oversight Committee), held on 19 May 2020 be confirmed as a correct record and signed by the Chairman. After being put to the meeting and a vote taken, the motion was declared CARRIED.
RESOLVED – that the Minutes of the meeting held on 19 May 2020 be confirmed as a correct record and signed by the Chairman.
The Chairman welcomed the new members of the Committee, Councillors Fernando, Ward-Booth and Huggins, although the latter was not in attendance. He also welcomed William Troop, the new Democratic Services Officer.
Declarations of Interest
To receive any Members' declarations of interest
There were no declarations of interest.
Cyber Security - presentation by Helen Standen and Ruth Luscombe
Ruth Luscombe, Assistant Director of Digital and Transformation at Stevenage Borough Council (SBC), gave a presentation updating Members on the current state of Cyber Security across the IT partnership between the Council and SBC.
The internal audit which had been carried out in the financial year of 2018/19 had identified a number of risks and associated management actions. Whilst progress had been made, there were still five outstanding areas to address, of which two were high risk areas:
· Unauthorised devices attempting to connect to IT network (high risk);
· Inappropriate firewall configuration and absence of defined firewall management procedures (high risk);
· Inadequate training on information and cyber security (medium risk);
· Absence of approved cyber security incident management procedures (low/ advisory risk);
· Inadequate monitoring of network activity and network performance (low/ advisory risk).
In relation to the first and final of the outstanding areas, the Council had made progress by implementing the Microsoft Intune based Mobile Device Management (MDM) and Mobile Application Management (MAM) solution. This allowed the remote management of devices connected to the network. All new devices were now registered through this software and full implementation was expected by the end of the third quarter of 2020. Another related outstanding action was the implementation of a network access control mechanism to identify, review and report on devices that had physically connected to the IT network. Procurement for this was ongoing and was expected to be completed by the end of the current financial year.
In relation to the second area, a specification for the replacement of firewalls was in preparation, with procurement planned to be completed by the end of October 2020. There was also work being carried out to document changes to the firewalls, which was anticipated to be completed by the third quarter of 2020.
In relation to the third area, and in particular staff training, the Council had implemented- and was currently testing- a meta-compliance product. This would give the Council the ability, amongst other things, to simulate phishing attacks and identify staff that may be particularly susceptible to these. Targeted training could then be arranged. The creation of an Information Governance Team, which would have responsibility for GDPR and cyber security training, was being sought. The scope and associated resourcing levels required approval from the Council and SBC. The target completion date was November 2020.
In the fourth area, the Council’s Cyber Security Incident Management Protocol was partially completed. After a period of preparation, the Council would engage an external vendor to complete the work. This process had been delayed due to the COVID-19 pandemic, but the Council hoped to complete this by the end of the third quarter of 2020.
The Chairman asked for further details regarding network access control and whether budget restrictions were still a constraint on the IT partnership between the Council and SBC.
The Assistant Director of Digital and Transformation said network access control also related to the in-tuning of devices, and that the Council planned to procure this work externally, ... view the full minutes text for item 103.
At the request of the Head of Strategic Finance and Property and with the consent of Members, the Chairman agreed to change the order of the agenda to bring forward the Annual Governance Statement (AGS), (Item 12 on the Agenda). The Head of Strategic Finance and Property said there was crossover between this item and the cyber security update and bringing forward this item would allow Members to raise questions with the Assistant Director of Digital and Transformation and the Deputy Chief Executive Officer before they left the meeting.
The Head of Strategic Finance and Property presented the AGS report, summarising the main key points. Particular reference was made to the improvements the Council had made, which had been noted by the Shared Internal Audit Service (SIAS). In the previous year, the Council had six limited assurance points and twenty one high priority points. Only one point of each category was noted this year. Other previous key problems, relating to issues such as the IT shared service and Section 106 payments, had been resolved. The report this year had highlighted problems again relating to IT, but high priority points had been swiftly addressed.
The Head of Stategic Finance and Property said that the Head of Legal and Democratic Services had carried out work to bring the Council’s Regulation of Investigatory Powers Act (RIPA) policy up to date. Officers were satisfied that appropriate governance arrangements were e in place, but referred to the need to address two issues going forward to ensure continuous improvement. First, by promptly addressing areas for improvement identified by SIAS and, secondly, by constructing a governance calendar to ensure key documents and policies were kept up to date.
Councillor Ward-Booth, said it was alarming that in the two years since GDPR legislation came into force, the Council had not been able to put the correct procedures into place, such as for the destruction of data. He asked whether there was a more concrete timeline for these targets to be achieved, as the AGS seemed rather non-committal on this aspect.
The Deputy Chief Executive said that progress had been made and the Council’s data retention schedule, which had previously not been located, had now been supplied to auditors for inclusion in the final draft. A report on GDPR was being prepared for the Leadership Team, which would then be presented to the Executive. It was also understood that the Assistant Director of Digital and Transformation would be carrying out a similar exercise for the Senior Leadership Team at SBC.
The Chairman asked that the Committee be kept up to date on this matter, and it was agreed this would be revisited at the Committee’s next meeting.
Councillor Stowe said that the Committee had received a report on Section 106 monies in September 2019 and commented that it would be useful if the Committee could once again receive this report in the upcoming September 2020 meeting. This was agreed.
Councillor Alder asked whether the Committee could be confident that ... view the full minutes text for item 104.
The Head of Strategic Finance and Property presented a report on external audit fees, and EY’s proposal to increase the fees by 67% from £40,295 to £67,244. It was explained that each year, the Public Sector Audit Appointments (PSAA) set the scale fee for the audit. Members were referred to the two Appendices: a letter from PSAA which set out further background, and a letter from EY, which set out their rationale behind the proposed increase. Members were informed that a number of other local authorities across Hertfordshire had also been asked to consider an increase.. It was recommended that Members agree to the proposal to defer the decision to the PSAA given their experience and expertise in these matters. It was noted that the PSAA could accept the proposal in full, agree to an increase but alter the proportion of increase, or reject the proposal in full.
Suresh Patel, EY’s representative, said that there was concern over the sustainability of downward pressure on audit fees generally. He explained that more work was now involved in the external audit, so an increase in fees was necessary to maintain the quality of the audit. EY were in discussion with the PSAA and the Council regarding the fees, as well as a number of other local authorities across the country.
Councillor Alder asked whether PSAA recommended an appropriate fee. She said the tone of EY’s proposal seemed to suggest that the audit quality would fall unless the Council agreed to the increase. She felt that the standard of the EY Audit should be maintained regardless. If the Council could procure the audit at the current fee, it would not make sense to approve an increase.
EY’s representative said the current fee scale represented what PSAA thought was a fair fee for the audit.
The Chairman said that in the private sector, generally auditors were also asking for increases in fees. It seemed sensible to defer the matter to the PSAA.
Councillor Corpe said that at a time when the Council was making cuts to key public services, such as Citizens Advice, it would difficult to agree to an increase without a very compelling argument for doing so. He agreed with the proposal to defer to PSAA, and noted the increase was large. Some of the arguments made by EY for the increase were not applicable to the Council, such as increased work relating to social housing comparisons. Furthermore, the audits of Millstream Property Investments Ltd were carried out by a different auditor. It did not seem reasonable to pass on costs, such as EY’s potentially delayed investment in appropriate IT systems to the Council.
EY’s representative said that it was correct that not all of the reasoning applied directly to the Council. He said whilst the proposed fees were on the higher end of the scale compared to competitors carrying out audits on public bodies, EY were the only firm from the ‘big four’ who undertook this kind of work.
Councillor ... view the full minutes text for item 105.
Simon Martin, the Shared
Internal Audit Service (SIAS) Officer, presented the Annual
Assurance Statement and Internal Audit Annual Report 2019/20. He
briefly summarised the purpose and contents of the report. The key
messages, contained in the report were that the Council’s
internal control framework was largely working well; 29 audits had
been carried out, with 83 recommendations made. SIAS had met or
exceeded all targets for 2019/20 and therefore the Council had the
vast majority of its internal audit plans successfully delivered.
The SIAS Officer summarised the content of the Audit
The SIAS Officer explained that as part of the recommendations, there was a need for Members to provide management assurance that the scope and resources for internal audit had not been subject to inappropriate limitations in 2019/20.
Councillor Corpe, queried the the term ‘agreed non-conformance’. The SIAS Officer said there were two levels of non-conformance. He explained what the two levels of non-comformance were.
The Chairman sought and was provided with clarification on a number of issues:
· The identity of the Head of Assurance at Hertfordshire County Council.
· The timescale for the external quality assessment of SIAS and potential auditors.
· The implementation of recommendations identified by the Information Management Audit.
· The improved position of Herts Home Improvement following the previous audit.
· The forthcoming high-profile recommendation from the draft Information Management Audit.
The Chairman asked the Head of Strategic Finance and Property for assurance that the scope and resources for internal audit were not subject to inappropriate limitations in 2019/20.
The Head of Strategic Finance and Property confirmed there had been no inappropriate limitations or restrictions.
It was moved by Councillor Corpe and seconded by Councillor Stowe that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, the motion was declared CARRIED.
RESOLVED – that (A) the Annual Assurance Statement and Internal
Audit Annual Report were noted by the Committee;
(B) the results of the self-assessment required by the Public Sector Internal Audit Standards (PSIAS) and the Quality Assurance and Improvement Programme (QAIP) were noted by the Committee;
(C) the SIAS Audit Charter was approved by the Committee; and that:
(D) management confirmation that there had been no inappropriate limitations on the scope and resources for the internal audit for 2019/20 be noted.
The SIAS Officer presented the SIAS Progress Report. As of 10 July 2020, 12% of the Audit Plan days had been delivered. As it was still relatively early in the year, most audits were due to start in the coming months, although six were already in progress.
The SIAS Officer explained that it was expected that more progress might have been achieved but a proportion of staff had been re-deployed due to the COVID-19 pandemic.
Further progress had been made from July 2020 onward, but a number of audits had been cancelled, with agreement from the Head of Strategic Finance and Property and the Leadership Team. There were now fewer outstanding recommendations in relation to cyber security, and the majority of the other recommendations had now been met and implemented.
The Chairman queried:
· whether it would be considered usual for the audits of the Grange Paddocks and Hartham Leisure Centre projects to be carried out by an external auditor;
· what aspects of these projects would be audited;
· whether this would form part of the annual external audit, or would this be a separate piece of work for which there would be an additional cost.
The SIAS Officer said it was unusual for internal and external audit work to overlap but that it was not unusual that amendments were made to the audit plan as it progressed. The scope of the external audit would be related to the procurement process in the projects.
The Head of Strategic Finance and Property said he understood that the additional work would form part of the external auditor’s value for money work, and would therefore form part of the main audit.
The Chairman asked that the Deputy Chief Executive provide Members with a verbal update on Incident Management following the meeting.
It was moved by Councillor Fernando and seconded by Councillor Corpe that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, the motion was declared CARRIED.
RESOLVED – that (A) the Internal Audit Progress Report be noted.
(B) the amendments to the Internal Audit Plan as at 10th July 2020 be approved; and
(C) the Status of Critical and High Priority recommendations be noted.
The SAFS Officer presented the SAFS annual update for 2019/20. He explained the broad purposes of SAFS, including deterring fraud, delivering relevant training to staff, managing internal and external communications and prosecuting fraud when other defences were bypassed. He explained the work of the SAFS since March 2020 had been somewhat disrupted by the COVID-19 pandemic, although adaptions had been made where possible.
It was noted that SAFS had been supporting the Revenue Team in their work making grant payments to businesses due to the pandemic. Only five applications out of around 1600 had been deemed to be fraudulent. He explained that work had also been done to identify phishing emails and other cyber scams seeking to exploit the pandemic, and this information had been shared with national anti-fraud organisations.
The SAFS Officer said that SAFS had been awarded the highest rating during the Joint Review Audit and positive feedback had been given. He summarised the content of the Appendices attached to the report.
Councillor Alder congratulated Officers on their hard work and, in particular, managing the payment of grants to businesses during the pandemic. She asked how much the Council had lost on the five fraudulent grant applications.
Whilst the SAFS Officer believed none of these applications were successful, it was agreed he would follow up on this via an email to Members.
Councillor Stowe, commented that in referring to Table 3 that it seemed that the Council generally received a fairly steady number of fraud referrals each year, of just fewer than 100. He asked why in 2016/17 this number jumped to 143. He also made reference to the mention of the additional £100,000 in council tax.
The SAFS Officer clarified the £100,000 was additional income for the Council, and said that in 2016/17 SAFS had also included some historic referrals which would not usually be included in the annual statistics.
The Chairman, referred to KPI 4 (fraud training given to staff and Members). He referred to the Council’s anti-bribery and whistle-blowing policy and procedures, and asked who was responsible for their review.
The SAFS Officer said the Section 151 or Monitoring Officer would take responsibility for these policies, with SAFS checking whether they fell within a coherent overall strategy.
The Chairman suggested it would be beneficial for the Committee to look at such policies.
The Scrutiny Officer said that the Head of Human Resources and Organisational Development was responsible for review of these policies, but that she would raise this matter with the Head of Legal and Democratic Services.
It was moved by Councillor Corpe and seconded by Councillor Ward-Booth that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, the motion was declared CARRIED.
RESOLVED – that (A) the Committee reviewed the Council’s work
to combat fraud in 2019/20 be noted; and
(B) the review of the performance of SAFS in meeting its KPIs in 2019/20 be noted.
The Head of Strategic Finance and Property presented the General Fund Revenue and Capital Outturn report. The key points for Members to note were:
The Revenue Outturn was close to budget, with an
underspend of £16,000, which would be taken into the General
There was an underspend of £30.91m in the
Capital Outturn due to the delay of several projects.
In the Net Cost of Services, there was an underspend
In the corporate budgets, the interest and
investment fund delivered an additional £149,000 on top of
the projected amount, due to the performance of the Property Fund.
This would be added to the General Reserve to offset poor
performance elsewhere; the COVID-19 pandemic had suppressed
interest rates and there were difficulties in obtaining rent from
some tenants. However, the property funds’ investments were
spread over a diverse range of investments.
There was a transfer of £2.555m to the
Collection Fund Reserve. Roughly £1.824m of this amount had
been from Section 31 income. £731,000 had been taken from the
Council’s participation in the Business Rates Retention Pilot
· In relation to the Capital Outturn, there was a spending programme of £41.672m, of which only £10.762m had been spent, leaving £30.898m to carry forward. Progress was now being made in relation to projects such as Northgate End Car Park and Grange Paddocks Leisure Centre, which would mean that these funds should be used throughout the financial year.
Councillor Corpe said that some content of this report had been considered at the Executive meeting on 7 July 2020 and asked whether it would be more appropriate for the Committee to have seen this report before the Executive. He said that it was positive to see that the Council had an underspend and that he hoped it could be diverted to services that had previously faced cuts. He asked what would be done with the underspend.
The Head of Strategic Finance and Property said the normal process would be that the Committee would consider this report prior to the Executive. However, due to COVID-19 pandemic, the Executive had asked for financial data to be presented to it as soon as it was available. He explained that normally it would be preferable for the schedule of meetings to be altered to allow this Committee to see this data first.
The Head of Strategic Finance and Property said that funds would be added to the General Reserve, which could be spent on projects as Members saw fit. It was within the remit of the Committee to make a recommendation to the Executive over the use of these funds.
The Chairman said that whilst there was an underspend, this was net of a use of £750,000 of reserves, which was not planned for at the beginning of the year. This demonstrated that it was prudent to transfer underspends to the General Reserve for unforeseen circumstances. For example, the biggest use of reserves was seen in the New Homes Bonus Priority Spend reserve.
The Head of Strategic Finance and Property presented the Draft Statement of Accounts 2019/20. It was noted that the Draft Accounts were scheduled to be published by 31 May 2020, and were due to be audited by 31 July 2020. However, owing to the COVID-19 pandemic, Central Government had changed the requirements. The Council was now required to publish the Draft Statement of Accounts by 31 August 2020, to be audited and published by 30 November 2020. As such, the Draft Statement of Accounts was being presented to the Committee a month before the statutory deadline. Assuming there were no delays in the external audit, which were not foreseen, audited accounts should be available to the Committee on 22 September 2020.
The Head of Strategic Finance and Property said that as a general rule, Members would be briefed on the key features of the accounts in a seminar prior to a Committee meeting, but this had been made difficult due to current circumstances, so a key summary was contained within the report. This contained: :
(A) Critical accounting policies and practices and any changes
(B) Decisions requiring a major element of judgement; and
(C) The extent to which the financial statements are affected by any unusual transactions in the year and how they are disclosed.
It was noted that IRFS 16 requirements on leases had been deferred due to the pandemic.
Members were advised that the Council was preparing group accounts for the first time, due to the establishment of the wholly owned subsidiary Millstream Property Investments Limited and its increased level of activity.
Officers assured Members that the Council had adequate resources to continue operation for the foreseeable future, due to a healthy balance sheet. There were significant fluctuations in the Pension Fund as well as movements in assets and liabilities, and the low rate of inflation had reduced the Council’s liabilities by around 10% due to anticipated wage stagnation. The Council’s pension liability would be paid over an extended period. Property, Plant and Equipment (PPE) had a value £63.315 million and another £15.486 million was added by investment properties.
The Chairman queried the impact on the Council if it was necessary for it to carry out work on the IRFS 16 requirements on leasing.
The Head of Strategic Finance and Property said that it would be a large piece of work, but as this was the second occasion the implementation of IRFS 16 had been postponed, some preparatory work had already been done and that it might not have a material impact on the accounts.
The Chairman referred to the Council’s Pension Liability and said this was the smallest liability in a number of years. He also mentioned the undervaluation of the Millstream properties, asked whether those accounts were audited at the time. The Chairman asked whether the valuation of the asset held for sale at the yearend was derived from cost.
The Head of Strategic Finance and Property said that the actuary used a prediction ... view the full minutes text for item 110.
The Scrutiny Officer presented the Work Programme Proposals 2020-21. It was noted that the performance function had been removed from this Committee’s remit and fell now within the remit of Overview and Scrutiny Committee.
It was noted a report from the Centre for Public Scrutiny (CfPS) on the overview and scrutiny function was expected soon, which would also give guidance on the governance role of this Committee.
The Scrutiny Officer said that there were plans for the establishment Constitution Review Work Group, and the Committee might wish to consider nominating a small number of Members to assist on the work of this Group She further added that following comments made during the evening that the Work Programme would need to be amended to reflect a request by Members regarding the need for further information on a Data Retention Schedule and Fraud Policies.
The Chairman asked that Members should be updated on Section 106 spending, as well as large capital projects, to ensure they were running on budget. He felt however, it would be prudent to await guidance from the external review as well as the opinion of the Head of Legal and Democratic Services. It was noted that Officers would be reporting later in the year in relation to a Section 106 update
The Scrutiny Officer said it was anticipated that the constitutional review and associated changes would define the governance function of the Committee more clearly.
Councillor Ward-Booth suggested that the Committee receive and update on Information Management and GDPR compliance and asked when the report from the Centre of Public Scrutiny would be received.
The Scrutiny Officer said that it was hoped that the report would be received by the end of the week.
The Committee discussed the review group to undertake the constitutional review. It was agreed that the particular details, including which Members would take part in this and the frequency of meetings would be arranged following further advice from the Head of Legal and Democratic Services.
Councillor Stowe asked whether the issue of Section 106 payments would form part of the future Work Programme. The Scrutiny Officer asked Members to specify what they would like to scrutinise in terms of Section 106 Agreement monies, given that they had been briefed the previous year on this matter and taking care not to encroach on the Overview and Scrutiny Committee’s remit.
Councillor Ward-Booth said it would be useful for a report to be received on the new processes, such as allowing local groups to bid for funding, which could be scrutinised from a governance point of view.
The Chairman said from an audit perspective, the Committee should ensure that the Council was receiving Section 106 monies from developers and that this was being spent within the limited time frame permitted.
It was moved by Councillor Corpe and seconded by Councillor Ward-Booth that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, the motion was declared CARRIED.
RESOLVED – ... view the full minutes text for item 111.